Changes published in 2021 went into final effect in June 2023. Now, regulators are stepping up their review.
We've been seeing the impact of the updated CyberSecurity examinations prompted by the December 2021 FTC rule revisions. Regulators are dumping massive checklists into the exam load, and most companies don't have the bandwidth to address it. It's a hefty load, but it's worth going through to establish a baseline.
Links (from the original post): the updated rule, and the CSBS Model Examination Form for non-banks.
The word you will see most often in an examination citation is "implementation." This means that, no matter how good your model policy is, if you are not actually doing the things the rule requires, or cannot produce evidence that you can do them, you will likely be cited.
Like every good compliance program, policies and procedures are only one part of a complete IT Security Plan. There are four pillars of every compliance program:
- a compliance officer
- policies and procedures
- training
- testing/auditing
Location of IT Security Questionnaire Items in 2-9 IT/CyberSecurity Plan
States Strictly Enforcing GLB Compliance
- DC
- Maryland
- Massachusetts
- Virginia
- Texas
- New York
Remember to add these non-policy items:
- List of hardware (investor)
- List of software and cloud services
- List of vendors (investors, office tech, processors, etc. )
- Cyber Insurance Policy